Information Technology Governance

Local Government Management Guide

Introduction to IT Governance

Many local governments and schools invest a considerable amount of resources into their information technology (IT) systems including, but not limited to, costs for computers and related hardware equipment, software, Internet access, cybersecurity and personnel training. They rely on IT systems for storing and processing important financial and nonfinancial information, accessing the Internet, communicating through email and reporting to State and federal agencies. These systems and the data they hold are valuable and need to be protected from unauthorized, inappropriate and wasteful use. Protecting IT assets is especially important given the ongoing and escalating prevalence of ransomware[1] attacks against local governments and schools.

Although no single practice or policy on its own can adequately safeguard your IT investments, a number of internal controls, appropriately implemented and monitored, collectively increase the odds that your systems and data will remain safe. Management, including the governing board, is responsible for ensuring that the right IT internal controls are in place and performing as intended. This can be a challenging task, given the rapid pace of technological innovation, the ever-increasing sophistication and number of cybersecurity threats and the fact that IT is integral in nearly all aspects of local government and school operations.

The following guidance is intended to make oversight less daunting by providing a path for understanding and strengthening IT internal controls. It includes a Security Self-Assessment, structured around 12 key areas of IT security, that is intended to help you exercise effective IT operation oversight. This serves as a starting point for discussions with personnel who are responsible for the day-to-day management of your IT operations. Because the assessment is geared toward small- to medium-sized computing environment operations, we limited the number of questions. In many cases, there are more questions you could and possibly should ask to fully evaluate and monitor your IT internal controls.


[1] A type of malicious software that prevents access to a computer or electronic device unless a ransom payment is made.


The Information Technology Governance LGMG can be downloaded at https://www.osc.ny.gov/files/local-government/publications/pdf/information-technology-governance.pdf